Bug in Connection::FlipRoles

To whom it may concern,

Sorry if I'm not following the proper procedure; this is my first post on this list (please be gentle and point me in the right direction).

There is a bug in Conn.cc in the Connection::FlipRoles routine:

725,726c725,726
< resp_addr = orig_addr;
< orig_addr = tmp_addr;

Sorry if I'm not following the proper procedure; this is my first post on this list (please be gentle and point me in the right direction).

There are some suggestions on how to contribute at [1]. For straightforward/complete/small patches it’s probably easiest to fork on GitHub and submit a pull request. For anything else, creating a ticket at tracker.bro.org w/ a proposed patch attached is helpful so things don’t get lost. I created a ticket for this at [2] for now if you want to create an account and “watch” it.

[1] http://bro.org/development/contribute.html
[2] [BIT-1148] - Bro Tracker

There is a bug in Conn.cc in the Connection::FlipRoles routine:

725,726c725,726
< resp_addr = orig_addr;
< orig_addr = tmp_addr;
---

  orig_addr = resp_addr;
  resp_addr = tmp_addr;
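
Review bot: The two replacement lines at 725-726 are only correct if `tmp_addr` was loaded from `orig_addr` immediately before them, and that assignment is not visible because this is a context-free normal diff. Please resend it as a unified diff (`diff -u`) so the `tmp_addr` setup can be checked together with the changed lines. If `tmp_addr` does hold the old `orig_addr`, the removed lines copied `orig_addr` into `resp_addr` and then restored `orig_addr` from `tmp_addr`, leaving both fields with the originator address. A regression test that feeds a reversed handshake and asserts both addresses after `FlipRoles` would pin the fix down.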

That does indeed look wrong, thanks.

However, this change does not address the issue when it occurs in a connection that is to be captured via expect_connection (e.g., ftp_data). I did some digging into this aspect of out-of-order handshakes but it is a bit more involved than the main line connection processing. If anyone has advice on that aspect of this issue I'm all ears.

If I understand right, this is a separate issue from the bad address swapping. If you’re getting at the fact that the scheduled/expected analyzers mechanism doesn’t take into account this Connection::FlipRoles code path, I think you’re right.

- Jon